Stuxnet Infected Chevron’s IT Network

Stuxnet, a sophisticated computer virus created by the United States and Israel to spy on and attack Iran’s nuclear enrichment facilities in Natanz, also infected Chevron’s network in 2010, shortly after it escaped from its intended target.

Chevron found Stuxnet in its systems after the malware was first reported in July 2010, said Mark Koelmel, general manager of the earth sciences department at Chevron. “I don’t think the U.S. government even realized how far it had spread,” he told CIO Journal. “I think the downside of what they did is going to be far worse than what they actually accomplished,” he said.

Photo: An Iranian technician works at a uranium conversion facility just outside the city of Isfahan. (Vahid Salemi/AP Photo)

Chevron was not adversely affected by Stuxnet, says Chevron spokesman Morgan Crinklaw. “We make every effort to protect our data systems from those types of threats,” he said.

Chevron’s experience with Stuxnet appears to be the result of the unintentional (and perhaps, inevitable) release of malware upon a larger network, much like an experimental virus escaping from a medical lab. But many companies are also being specifically targeted, sometimes by less sophisticated actors attempting to retaliate against perceived U.S. cyber-aggression. Although they have fewer resources behind them, those guerrilla campaigns are nonetheless capable of doing real, physical damage to targeted plants.

Chevron is the first U.S. company to acknowledge that its systems were infected by Stuxnet, although most security experts believe the vast majority of hacking incidents go unreported for reasons of security or to avoid embarrassment. The devices used in industrial equipment and targeted by Stuxnet are made by huge companies, including Siemens (whose devices were in use at Iran’s facility). Millions of these devices have been sold around the world, so potentially every industrial company that uses these devices, called programmable logic controllers, or PLCs, is at risk of being infected.

Aramco said it quickly recovered from the August attack, but expects more attacks in the future. Rasgas says the August attack had no impact on its operations.

“The real worry that a lot of us have been talking about for a year or so is that instead of just stealing information, [hackers are] gaining control of target systems so that they can cause kinetic impact,” said Ed Skoudis, an expert who teaches cybersecurity classes at SANS, an organization that trains cybersecurity experts and conducts information security research.

“All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date,” said U.S. Secretary of Defense Leon Panetta in an October 11 speech at a Business Executives for National Security dinner. The virus is an example of an escalation that has happened in the scale and speed of cyber attacks during the last few months.

Employees who have a deep understanding of cybersecurity and the company’s systems are the only defense against a virus like Stuxnet, which often targets vulnerabilities that haven’t yet been identified by security researchers or patched by the software vendor, says Alan Paller, founder of SANS. Those employees need to understand malware and techniques like deep packet inspection, and have a deep knowledge of what the network traffic should look like. “There are probably only 18-20 people in the country who have those fundamental skills,” he said.

Unleashing potent cyber weapons points to the larger problem of blowback, where “somebody could recover malware assets, tweak them and use them,” said SANS’ Skoudis. He said portions of the Stuxnet code have already been reused in financial cybercrime to steal credit cards and bank account information.

The tacit acknowledgement by U.S. government officials that they created Stuxnet makes U.S. companies an even bigger target, said Paller at SANS. He says hackers last summer went from stealing information to using cyber attacks to cause destruction. Stuxnet “opened Pandora’s box,” he said. “Whatever restraint might have been holding damaging attacks back is gone.”

In the end, companies are left to clean up the mess associated with viruses such as Stuxnet. “We’re finding it in our systems and so are other companies,” said Chevron’s Koelmel. “So now we have to deal with this.”

Comments (5 of 15)

I heard that US antivirus firms don't have the possibility to work in the Middle East. Anyone got a comment on that?
(That's why Kaspersky makes all these interesting detections, possibly.)

Btw, Kaspersky's reputation for the public sector in the US seems lowish? Someone said sensitive environments are scratched just because Kaspersky antivirus was used. Anyone got a comment on that?

5:47 pm November 14, 2012

Kurt wrote:

Anything targeted or zero-day passes right through traditional IT security defenses. AV only looks for known bad malware, and the amount of malware discovered has increased so much that the big AV vendors are not able to keep up. Application Whitelisting, which denies anything outside of explicitly authorized applications or trust mechanisms, is a growing technology which better protects against these unknown attacks. Approve the known good and protect against everything else.

6:57 pm November 12, 2012

Cisko wrote:

Having Norton is like putting a fence around your property. It "protects" you, but something as sophisticated as Stuxnet can just hop over the fence and invade. Same goes for any anti-virus.

9:14 am November 12, 2012

Evan wrote:

@Aaron, Stuxnet used four different "zero-day" attacks to infect its targets, so even Norton couldn't stop it until it was discovered, many months after it was released.

10:25 pm November 11, 2012

Jones wrote:

Fascinating. A US / Israeli government-created virus gets out of control and affects Chevron, and somehow Murdoch's writers manage to turn this into an attack on "Iranian hackers" within a few paragraphs.